Ransomware group makes $260,000 in 5 days after exploiting a vulnerability to encrypt QNAP devices and demanding ransom via the dark web

The ransomware group made $260,000 in just five days by exploiting a QNAP vulnerability and using the 7zip archive program to remotely encrypt files on QNAP devices.

Beginning Monday, QNAP NAS users from all over the world suddenly discovered that a ransomware called Qlocker used a vulnerability to encrypt the files on their devices.

The ransomware group scanned QNAP devices connected to the Internet and used recently disclosed vulnerabilities to exploit them. These exploits allow threat actors to remotely execute the 7zip archive utility and password-protect all files on the victim's NAS storage device.

Using this simple method, which relies on the time-proven encryption algorithm built into the 7zip archive utility, they were able to encrypt more than a thousand QNAP devices in just five days.
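As an added defender-side illustration (not part of the original article), the following Python script identifies 7z archives by their signature bytes rather than by file extension and flags share directories where most files have been replaced by archives; the directory layout, thresholds and sample files are constructed for the demo.

```python
import os
import tempfile

# Every 7z archive begins with the 6-byte signature '7z\xBC\xAF\x27\x1C'.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def is_7z_archive(path):
    """Identify a 7z archive by its signature bytes, not its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SEVENZ_MAGIC)) == SEVENZ_MAGIC
    except OSError:
        return False


def scan_share(root, ratio_threshold=0.5, min_files=5):
    """Walk a NAS share and flag directories where most files are 7z archives.

    Returns {directory: (archive_count, total_count)} for flagged directories.
    The threshold values are assumptions chosen for this demo.
    """
    flagged = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        total = len(filenames)
        if total < min_files:
            continue  # too few files to judge
        archives = sum(1 for n in filenames if is_7z_archive(os.path.join(dirpath, n)))
        if archives / total >= ratio_threshold:
            flagged[dirpath] = (archives, total)
    return flagged


def build_sample_share():
    """Constructed sample tree: one healthy folder and one mostly archived folder."""
    root = tempfile.mkdtemp(prefix="qlocker_demo_")
    healthy = os.path.join(root, "photos")
    hit = os.path.join(root, "documents")
    os.makedirs(healthy)
    os.makedirs(hit)
    for i in range(6):
        with open(os.path.join(healthy, f"img{i}.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff" + b"\x00" * 16)  # JPEG-like bytes, not an archive
    for i in range(5):
        # Archives keeping a misleading extension, to show magic-based detection.
        with open(os.path.join(hit, f"report{i}.docx"), "wb") as fh:
            fh.write(SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24)
    with open(os.path.join(hit, "notes.txt"), "wb") as fh:
        fh.write(b"untouched text file")
    return root, healthy, hit


if __name__ == "__main__":
    demo_root, _, _ = build_sample_share()
    for directory, (n_arch, n_total) in scan_share(demo_root).items():
        print(f"{directory}: {n_arch}/{n_total} files are 7z archives")
```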

Ransom demand is correctly priced

Ransomware targeting businesses usually demands ransoms ranging from US$100,000 to US$50 million to decrypt all of the victim's devices and to keep the stolen data from being leaked.

However, the Qlocker ransomware group chose a different target: consumers and small and medium-sized business owners who use QNAP NAS devices for network storage.

The blackmail gang seems to know its targets well. On the dark web site http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/ , they set the ransom at only 0.01 bitcoin, roughly 500 US dollars at today's bitcoin price.

Qlocker ransom demand

The decision to pay millions of dollars requires the company to seriously consider whether the lost data is worth millions of dollars.

However, paying $500 can be seen as a small price for the recovery of important documents, and the victim may not feel much sense of loss.

The Qlocker ransom gang’s decision seems to have paid off, because people eager to recover data have started to pay, earning a considerable return for the ransom gang.

So far, Qlocker’s revenue is nearly $260,000

Since the Qlocker ransomware gang uses a fixed set of Bitcoin addresses, victims are rotated through these addresses in turn. On Tuesday night, security researcher Jack Cable discovered a brief error that allowed him to recover 55 victims' files for free. While exploiting this error, he collected 10 different Bitcoin addresses, and BleepingComputer collected another 10, giving a view of the 20 Bitcoin addresses currently used by the Qlocker ransomware group.

So far, these 20 bitcoin addresses have received a total of 5.25773523 bitcoins in ransom. This amount is approximately equivalent to US$258,494.


Dividing the number of bitcoins received by the 0.01 BTC that each victim must pay, approximately 525 victims have paid the ransom so far.

Unfortunately, as more users make the difficult decision to pay to restore their files, payments keep arriving, so this number is likely to increase over the weekend and into next week.

The blackmail activity is still ongoing, and new victims appear every day. Therefore, all QNAP users must update Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync to the latest versions to fix the vulnerabilities and defend against these ransomware attacks.

Copyright:
Author: admin
Link: https://www.ondarknet.com/news/ransomware-group-makes-260000-in-5-days-after-exploiting-vulnerability-to-attack-encrypted-qnap-devices-and-then-demanding-ransom-via-the-dark-web/
From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author; please do not reproduce without permission.
